From 3020d3d94e3d78bb829de0ca89abe0ae5ec27959 Mon Sep 17 00:00:00 2001
From: Ryan Ahearn
Date: Tue, 8 Nov 2022 13:51:39 -0500
Subject: [PATCH] Add github action for deploying egress proxy
---
 .github/actions/deploy-proxy/action.yml | 33 +++++++++++++++++++
 .github/workflows/deploy-demo.yml | 6 ++++
 .github/workflows/deploy.yml | 6 ++++
 .../egress_proxy/notify-api-demo.allow.acl | 3 ++
 .../egress_proxy/notify-api-demo.deny.acl | 0
 .../egress_proxy/notify-api-staging.allow.acl | 3 ++
 .../egress_proxy/notify-api-staging.deny.acl | 0
 7 files changed, 51 insertions(+)
 create mode 100644 .github/actions/deploy-proxy/action.yml
 create mode 100644 deploy-config/egress_proxy/notify-api-demo.allow.acl
 create mode 100644 deploy-config/egress_proxy/notify-api-demo.deny.acl
 create mode 100644 deploy-config/egress_proxy/notify-api-staging.allow.acl
 create mode 100644 deploy-config/egress_proxy/notify-api-staging.deny.acl
diff --git a/.github/actions/deploy-proxy/action.yml b/.github/actions/deploy-proxy/action.yml
new file mode 100644
index 000000000..d301aa40a
--- /dev/null
+++ b/.github/actions/deploy-proxy/action.yml
@@ -0,0 +1,33 @@
+name: Deploy egress proxy
+description: Setup egres space and deploy proxy
+inputs:
+ cf_space:
+ description: The space the target app exists in.
+ required: true
+ app:
+ description: application name to be proxied.
+ required: true
+runs:
+ using: composite
+ steps:
+ - name: Set restricted space egress
+ shell: bash
+ run: ./terraform/set_space_egress.sh -t -s ${{ inputs.cf_space }}
+ - name: Set public space egress
+ shell: bash
+ run: ./terraform/set_space_egress.sh -p -s ${{ inputs.cf_space }}-egress
+ - name: Create temp directory
+ shell: bash
+ id: create-temp-dir
+ run: echo "path=$(mktemp -d -t egress-XXXXXXXXXX --tmpdir=$RUNNER_TEMP)" >> $GITHUB_OUTPUT
+ - name: Clone egress-proxy
+ shell: bash
+ run: git clone https://github.com/rahearn/cg-egress-proxy.git ${{ steps.create-temp-dir.outputs.path }}
+ - name: Copy config files
+ shell: bash
+ run: cp ./deploy-config/egress_proxy/${{ inputs.app }}.*.acl ${{ steps.create-temp-dir.outputs.path }}
+ - name: Deploy proxy
+ shell: bash
+ run: >
+ cd ${{ steps.create-temp-dir.outputs.path }};
+ ./bin/cf-deployproxy -a ${{ inputs.app }} -p egress-proxy -e egress_proxy
diff --git a/.github/workflows/deploy-demo.yml b/.github/workflows/deploy-demo.yml
index 813ca0c19..c973d6e89 100644
--- a/.github/workflows/deploy-demo.yml
+++ b/.github/workflows/deploy-demo.yml
@@ -65,3 +65,9 @@ jobs:
 --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
 --var AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID"
 --var AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY"
+
+ - name: Deploy egress proxy
+ uses: ./.github/actions/deploy-proxy
+ with:
+ cf_space: notify-demo
+ app: notify-api-demo
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 50c423ea3..0e8f29a7b 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
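Review bot: The `Clone egress-proxy` step fetches whatever the default branch of `rahearn/cg-egress-proxy` holds at run time, and the `Deploy proxy` step then executes `./bin/cf-deployproxy` from that checkout, so any later push to that repository runs unreviewed inside a deploy job (the callers' context lines reference `AWS_SECRET_ACCESS_KEY`, so the job presumably handles deployment secrets). Pin the clone to a reviewed full commit SHA and check it out detached before anything from the tree is executed, as in the step below; the SHA shown is a placeholder. Separately, `${{ inputs.cf_space }}`, `${{ inputs.app }}` and the temp path are expanded into the `run:` scripts before bash parses them; both callers in this patch pass literals, but passing them through `env:` and quoting them (`"$CF_SPACE"`, `"$APP"`) keeps the action safe to reuse with other callers.

```yaml
# … unchanged: inputs, space-egress steps, Create temp directory …
    - name: Clone egress-proxy
      shell: bash
      env:
        PROXY_DIR: ${{ steps.create-temp-dir.outputs.path }}
        # placeholder: full SHA of the cg-egress-proxy commit that was reviewed
        PROXY_REF: "<PINNED_COMMIT_SHA>"
      run: |
        git clone https://github.com/rahearn/cg-egress-proxy.git "$PROXY_DIR"
        git -C "$PROXY_DIR" checkout --detach "$PROXY_REF"
# … unchanged: Copy config files, Deploy proxy …
```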
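Review bot: The new `Deploy egress proxy` step in `deploy-demo.yml` is appended after the step whose `--var …` arguments form the context lines, presumably the app push, so the space egress settings and the ACLs under `deploy-config/egress_proxy/` are applied only once the new app code is already deployed, and a failure in the proxy step fails the job with the app live. If `cf-deployproxy` requires the app to exist first, record that above the step, for example `# must run after the push: cf-deployproxy targets the deployed app`; otherwise consider running the proxy step before the push. The same applies to the identical step added in `.github/workflows/deploy.yml`. The job body starts outside the hunk, so the preceding steps are inferred from the context lines only.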
@@ -71,6 +71,12 @@ jobs: --var AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" --var AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" + - name: Deploy egress proxy + uses: ./.github/actions/deploy-proxy + with: + cf_space: notify-staging + app: notify-api-staging + bail: runs-on: ubuntu-latest if: ${{ github.event.workflow_run.conclusion == 'failure' }}
diff --git a/deploy-config/egress_proxy/notify-api-demo.allow.acl b/deploy-config/egress_proxy/notify-api-demo.allow.acl
new file mode 100644
index 000000000..59ba51ac1
--- /dev/null
+++ b/deploy-config/egress_proxy/notify-api-demo.allow.acl
@@ -0,0 +1,3 @@
+email.us-west-2.amazonaws.com
+sns.us-west-2.amazonaws.com
+logs.us-west-2.amazonaws.com
diff --git a/deploy-config/egress_proxy/notify-api-demo.deny.acl b/deploy-config/egress_proxy/notify-api-demo.deny.acl
new file mode 100644
index 000000000..e69de29bb
diff --git a/deploy-config/egress_proxy/notify-api-staging.allow.acl b/deploy-config/egress_proxy/notify-api-staging.allow.acl
new file mode 100644
index 000000000..59ba51ac1
--- /dev/null
+++ b/deploy-config/egress_proxy/notify-api-staging.allow.acl
@@ -0,0 +1,3 @@
+email.us-west-2.amazonaws.com
+sns.us-west-2.amazonaws.com
+logs.us-west-2.amazonaws.com
diff --git a/deploy-config/egress_proxy/notify-api-staging.deny.acl b/deploy-config/egress_proxy/notify-api-staging.deny.acl
new file mode 100644
index 000000000..e69de29bb